We Prevent Cold Sores. DugganUSA Threat Intelligence as Daily Antiviral and Quarterly Vaccination, Not Hospital Admission.
- Patrick Duggan
May 8, 2026 · DugganUSA LLC
Two-thirds of the world's population carries herpes simplex type 1, dormant in their trigeminal ganglion, waiting for the moment of stress that lets it erupt across the lip in a visible, painful, and conspicuously timed cold sore. Job interview morning. Wedding day. The customer call where you are trying to close the round. The eruption is not the infection. The infection has been there all along. The eruption is what happens when the conditions become favorable for it to surface.
Every enterprise security program in the United States — Fortune 500, Fortune 5,000, K-12 district, regional bank, sixty-bed community hospital, ninety-seat law firm — has the same architecture. Latent compromise inside. Leaked credentials in old breach dumps that nobody has rotated. OAuth tokens issued to integrations that nobody can name anymore. Supply chain seeds from npm packages installed in 2022. An Oracle Cloud Korea scanner that has been knocking on the WordPress login page for the last 36 months. The infection is endemic. Eradication is not on the menu.
What is on the menu: suppressive antiviral therapy and vaccination. Daily generic, taken by the patient on their own initiative, no insurance pre-auth, no doctor's visit, no sales call. Or quarterly tiered protection that trains the defensive surface against the next eruption before the next stressor arrives. Or — the third option, the one most of the security industry sells — emergency hospital admission after the cold sore is already on your face during the demo.
We sell the first two. We do not sell the third.
The Product Aisle
The pharmacy aisle for endemic chronic threat exposure has three sections. Tell us where you actually live.
Section one: Daily generic suppressive therapy. This is our public STIX feed. Twenty-five queries per day, free, permanent. Indicators land in the feed within hours of public CVE disclosure or PoC publication. The feed serves 275 consumers across 46 countries — Microsoft, AT&T, Starlink, Hetzner, plus 271 others. The active ingredient is the same one in every higher tier. The administration is daily, the cost is zero, the side effects are minimal. Most enterprises with a lightweight security posture should already be on this and have not yet realized it.
Section two: Branded prescription suppressive therapy. Forty-five dollars per month gets you the Starter tier — five hundred queries per day, full feed access, fourteen-day lookback, Splunk ES integration, OPNsense blocklists. One hundred forty-five dollars per month is Researcher tier — two thousand queries per day, behavioral scoring, precursor signals, thirty-day lookback. Four hundred ninety-five dollars per month is Professional — five thousand queries per day, cross-index correlation, supply-chain IOCs, ninety-day lookback. The active ingredient is the same as the generic. You are paying for higher dose, longer lookback, and the brand-name pharmacist who picks up when you call. Skip this tier if the generic suffices for your dosing requirements.
Section three: Vaccination protocols. Medusa Suite at $8,995 per month and Enterprise Unlimited at $24,995 per month are the prevention-grade products. Fifty thousand to one hundred thousand queries per day, full Medusa surveillance suite, custom signatures tuned to your environment, dedicated key pool, white-label option, named customer success manager, ninety-nine-point-nine percent SLA, supply-chain IOC ingestion before the public PoC drops. The vaccination tier is for organizations whose adversary surface justifies pre-emptive immunity training rather than suppressive treatment after exposure. Banks, hospitals, content platforms with eight-figure brand exposure, defense contractors, anyone in the Mythos Preview gated partner list, anyone whose Q-end immune dip would cost more than three hundred thousand dollars to manage.
For comparison: the brand-protection vendor we have spent considerable column inches discussing this week prices its mid-enterprise tier at an estimated two hundred thousand dollars per year for a product whose primary delivery mechanism is filing takedown notices after the eruption. That is not suppressive therapy. That is not vaccination. That is hospital admission, after the cold sore has already shown up to the wedding, billed at urgent-care rates.
The Eruption Pattern Is Predictable
Cold sores erupt under predictable triggers: ultraviolet exposure, hormonal fluctuation, sleep deprivation, immune-suppressing illness, acute stress. The medical literature is exhaustive on this. The patient who can recognize their own trigger pattern can dose suppressive antiviral preventively before the trigger arrives, and the eruption does not happen.
Breach disclosures have the same triggerability profile. Quarter-end is the immune dip — security teams under headcount stress, deployment velocity up, oversight reduced, attacker timing optimized. Vendor disclosure events are the seasonal allergen — Mythos in April, Storm-2561's Ivanti advisory two days ago, the Cloudways Breeze CVE last night, the Canvas/ShinyHunters compromise this morning. Acquisition due diligence is the immune-suppressing illness — your own legal and IT teams pulled into data-room work, monitoring degraded, attacker awareness elevated. The IPO roadshow is the wedding day. The keynote is the job interview.
The eruption does not happen at random. It happens when the trigger meets the latent infection. Most of our customer base is one trigger away from an eruption right now. The dosing schedule is what determines whether they see it coming or whether they see it on their face during the keynote.
What Suppressive Therapy Actually Looks Like, Operationally
In the nine calendar days between April 28 and May 7, we shipped eight hunt-tonight posts on eight separate CVEs and active campaigns — Microsoft SharePoint, Linux kernel container escape, Palo Alto PAN-OS root RCE, Ivanti's nine-CVE multi-product advisory, Cloudways Breeze Cache RCE at four hundred thousand sites, STAC6405 RMM-abuse, device-code vishing, ClearFake's Apothecary path-rebuild. This morning, hunt number nine on the ShinyHunters Canvas compromise across nine thousand schools.
Each post is a dose. The dose lands within hours of public disclosure. The indicators are in the STIX feed inside the same window. The hunt content is written for the analyst at eleven p.m. on a Wednesday with a coffee. That is the cadence of suppressive antiviral therapy when it is delivered correctly: small, daily, on schedule, before the trigger arrives. The patient does not need to call the doctor. The patient takes the pill in the morning, the suppression continues, the eruption does not happen.
The architectural reason we can ship at this cadence with a Minneapolis two-person team and a sub-five-hundred-dollars-per-month Azure budget is documented elsewhere — Three Buckets, Detection × Reasoning × Distribution, factorial reckoning across roughly ten Detection components, six Reasoning components, and eight Distribution channels for a latent product surface near four hundred eighty distinct combinations. We have shipped a small fraction of that surface. The infrastructure does not get rebuilt for each post. It gets reused. That is why the pill is cheap.
The 95% Honesty
Suppressive antiviral therapy is not one hundred percent effective. The clinical literature on valacyclovir for HSV-1 suppression cites efficacy in the seventy to eighty percent range for outbreak prevention at standard daily dose. The cap on what the medication can do is real. We acknowledge it. The 95% epistemic cap on every claim DugganUSA makes — compliance scores, threat intelligence confidence, detection coverage — is the same posture as the medical literature on suppressive antivirals. We do not claim eradication. We claim suppression at the highest rate the active ingredient supports, taken on the correct dosing schedule, by a patient who recognizes their own trigger pattern.
The customer who needs a one-hundred-percent guarantee that they will never have a breach is in the wrong pharmacy. There is no such product on the market, from any vendor, at any price, in any sector, for any threat surface. The vendor who claims otherwise is selling perjury under a different name.
The customer who needs the highest available rate of breach prevention at a defensible per-dose cost, with daily delivery of indicators that match their environment, is in the right pharmacy. We have been here the whole time.
Pick Your Section
If you are reading this and you are a SOC analyst at eleven p.m. on a Wednesday with a coffee, the public STIX feed is in section one. Free. Twenty-five queries per day. The active ingredient is the same one in every higher tier.
If you are reading this and you are a security director at a fifty-person-to-five-thousand-person company evaluating whether the daily-pill cost makes sense for your dosing requirements, the Starter tier is in section two. Forty-five dollars per month. We will give you a thirty-day trial against your environment if you want to verify the suppression rate before subscribing.
If you are reading this and you are the CISO at an organization whose Q-end immune dip would cost real money in real lawsuits and regulatory disclosure to manage, the vaccination protocol is in section three. Medusa Suite or Enterprise. We are at [email protected].
If you are reading this and you are already paying two hundred thousand dollars per year to a brand-protection vendor whose product delivery mechanism is a takedown notice after the cold sore has erupted, you are in the wrong section of the wrong store. The hospital is across the street. We are still in the pharmacy.
Summary
The infection is endemic. Eradication is not on the menu. Suppression and vaccination are. Daily, scheduled, by the patient, on the patient's own initiative, before the trigger arrives. That is the product. That is the pricing. That is the architecture.
Doppel sells the surgery. We sell the daily pill and the quarterly shot.
— Patrick Duggan
DugganUSA LLC, Minneapolis
Aye.
Receipts
Public STIX feed: analytics.dugganusa.com/api/v1/stix-feed (free, 25 queries/day, permanent)
275 STIX consumers in 46 countries (Microsoft, AT&T, Starlink, Hetzner pulling daily)
Pricing tiers: Starter $45/mo, Researcher $145/mo, Professional $495/mo, Gov/Press $995/mo, Medusa Suite $8,995/mo, Enterprise Unlimited $24,995/mo
Nine hunt-tonight posts in ten days (Apr 28 — May 8): SharePoint, Linux Copy Fail, PAN-OS, Ivanti, Cloudways Breeze, STAC6405, device-code vishing, ClearFake Apothecary, ShinyHunters Canvas
Three Buckets architecture: 10 Detection × 6 Reasoning × 8 Distribution = ~480 latent products from recombination of existing components
95% epistemic cap on all claims (compliance, detection, threat intelligence confidence)
Suppressive antiviral efficacy literature: valacyclovir 70-80% outbreak prevention at standard daily dose
Brand-protection vendor mid-enterprise tier estimate: $200K/year (publicly reported)
Mythos Preview gated partner list: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks
Reach us in the pharmacy: [email protected]
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
